Cross-Domain Privacy-Preserving Collaborative Firewall Optimization
Fei Chen, Computer Science and Engineering, Michigan State University
Joint work with Bruhadeshwar Bezawada and Alex Liu
Motivation
(Figure: business networks and home networks connected through the Internet.)
The number of rules in a firewall significantly affects network throughput.
Motivation
Many solutions have been proposed to eliminate redundant rules from a firewall.
There could be a lot of rules that are common across a series of firewalls (for example, rules for a common malicious website).
Example: FW1 protects Net1 and FW2 protects Net2.
FW1:
Rule  SIP      DIP          SP  DP  PR   Dec
r1'   1.2.*.*  192.168.*.*  *   *   TCP  discard
r2'   2.3.*.*  192.168.*.*  *   *   TCP  accept
r3'   *        *            *   *   *    discard
FW2:
Rule  SIP      DIP          SP  DP  PR   Dec
r1    1.2.1.*  192.168.1.*  *   25  TCP  accept
r2    1.2.1.*  192.168.*.*  80  *   TCP  discard
r3    *        *            *   *   *    accept
Motivation
Can we detect redundant rules across firewalls?
How can we preserve the privacy of firewalls that belong to different parties?
(The FW1 and FW2 rule tables from the previous slide are shown again.)
Problem Statement
Detect redundant rules across firewalls
• Single-rule redundancy detection: one rule in FW2 is covered by another rule in FW1
• Multi-rule redundancy detection: one rule in FW2 is covered by multiple rules in FW1
Preserve the privacy of the two firewalls
• One party cannot figure out the firewall rules of the other party
(The FW1 and FW2 rule tables are shown again.)
Related work
Firewall optimization
• Local optimization has received intense study: redundant rule removal, TCAM optimization
• Global optimization is impractical: no party likes to reveal its internal security requirements, as this information is sensitive and confidential
• No prior work investigates cooperative optimization
Collaborative firewall enforcement in VPNs
• It focuses on enforcing a firewall policy over VPN tunnels in a privacy-preserving manner
• It preserves the privacy of the remote network's firewall and of the packets in the VPN tunnels
• This work, in contrast, preserves the privacy of the different firewalls being optimized
Basic building blocks: prefix membership verification
Question: is the value 5 (held by FW2) in the range [3, 7] (held by FW1)?
Prefix format of the range: [3, 7] = {011, 1**}
Prefix family of the value: F(5) = {101, 10*, 1**, ***}
Prefix numericalization of both sides: {0111, 1100} and {1011, 1010, 1100, 1000}
If these two sets have common elements, 5 is in [3, 7] (here 1100 is common).
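The check above, implemented as an added example (not code from the slides or the authors); the functions take the field width w as a parameter, so the 4-bit ranges of the later slides are covered as well:

```python
# Added example (not the slides' code): prefix membership verification.
# A range becomes a minimal prefix set, a value becomes its prefix family,
# both sides numericalize (fixed bits, then a 1, then zero padding to w+1
# bits) and the value lies in the range iff the numericalized sets meet.

def range_to_prefixes(lo: int, hi: int, w: int) -> set[str]:
    """Minimal set of w-bit prefixes covering [lo, hi], e.g. [3, 7] -> {011, 1**}."""
    out = set()
    while lo <= hi:
        k = 0  # widen the aligned block of size 2^k while it stays inside [lo, hi]
        while k < w and lo % (1 << (k + 1)) == 0 and lo + (1 << (k + 1)) - 1 <= hi:
            k += 1
        fixed = "" if k == w else format(lo >> k, f"0{w - k}b")
        out.add(fixed + "*" * k)
        lo += 1 << k
    return out

def prefix_family(v: int, w: int) -> set[str]:
    """All w-bit prefixes that match v, e.g. F(5) = {101, 10*, 1**, ***}."""
    bits = format(v, f"0{w}b")
    return {bits[: w - i] + "*" * i for i in range(w + 1)}

def numericalize(prefix: str) -> str:
    """Fixed bits, then a 1, then zeros: 10* -> 1010, 1** -> 1100, *** -> 1000."""
    fixed = prefix.rstrip("*")
    return fixed + "1" + "0" * (len(prefix) - len(fixed))

def in_range(v: int, lo: int, hi: int, w: int) -> bool:
    """v is in [lo, hi] iff the two numericalized sets share an element."""
    range_side = {numericalize(p) for p in range_to_prefixes(lo, hi, w)}
    value_side = {numericalize(p) for p in prefix_family(v, w)}
    return bool(range_side & value_side)
```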
Simple but incorrect solutions (1/2): for preserving privacy
Two parties apply a keyed hash function (HMAC) to each numericalized prefix:
{1011, 1010, 1100, 1000} becomes {h_g(1011), h_g(1010), h_g(1100), h_g(1000)}
{0111, 1100} becomes {h_g(0111), h_g(1100)}
Drawbacks
• Hash functions are efficient to compute
• The length of an IPv4 address is only 32 bits
• So each party can brute-force compute the hash value of every possible number
Simple but incorrect solutions (2/2): for detecting redundant rules
Directly compare the rules of the two firewalls
• It may report wrong rules as redundant rules in FW2: r2 is covered by r2', but it is not covered by r2' - r1' (the part of r2' not already matched by the earlier rule r1')
• It may find only a portion of the redundant rules: as long as r2 - r1 is covered by r2' - r1', r2 is a redundant rule in FW2
(Figure: the regions matched by r1 and r2 in FW2 and by r1' and r2' in FW1, with their accept and discard decisions.)
Preserving privacy
For preserving privacy, we use commutative encryption.
Processing FW1
FW1 over two fields F1 and F2, each a 4-bit value in [0, 15]:
r1': F1 in [0, 4], F2 in [7, 15]: discard
r2': F1 in [5, 7], F2 in [5, 15]: discard
r3': F1 in [5, 7], F2 in [0, 8]: accept
r4': F1 in [0, 15], F2 in [0, 15]: discard
FDD construction (firewall decision diagram): F1 branches into [0, 4], [5, 7] and [8, 15]
F1 in [0, 4]: F2 in [0, 15]: discard
F1 in [5, 7]: F2 in [0, 4]: accept; F2 in [5, 15]: discard
F1 in [8, 15]: F2 in [0, 15]: discard
Extract the non-overlapping rules with the discard decision:
nr1': F1 in [0, 4], F2 in [0, 15]: discard
nr2': F1 in [5, 7], F2 in [5, 15]: discard
nr3': F1 in [8, 15], F2 in [0, 15]: discard
Convert ranges to prefixes:
nr1': F1 {00**, 0100}, F2 {****}
nr2': F1 {0101, 011*}, F2 {0101, 011*, 1***}
nr3': F1 {1***}, F2 {****}
Extract and permute the prefixes: 1***, 011*, 0101, ****, 0100, 00**
Numericalize the prefixes: 11000, 01110, 01011, 10000, 01001, 00100
Encrypt by Net1 with key K1: E_K1(11000), E_K1(01110), E_K1(01011), E_K1(10000), E_K1(01001), E_K1(00100)
Encrypt by Net2 with key K2: E_K2(E_K1(11000)), E_K2(E_K1(01110)), E_K2(E_K1(01011)), E_K2(E_K1(10000)), E_K2(E_K1(01001)), E_K2(E_K1(00100))
Reconstruct the non-overlapping rules by Net1, with the rules relabelled 27, 13 and 45:
27: F1 {E_K2(E_K1(00100)), E_K2(E_K1(01001))}, F2 {E_K2(E_K1(10000))}: discard
13: F1 {E_K2(E_K1(01011)), E_K2(E_K1(01110))}, F2 {E_K2(E_K1(01011)), E_K2(E_K1(01110)), E_K2(E_K1(11000))}: discard
45: F1 {E_K2(E_K1(11000))}, F2 {E_K2(E_K1(10000))}: discard
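An added example (not the authors' code) of the two-key exchange on the numericalized F1 prefixes above, matched against the prefix family of the FW2 end point 5 used on the next slide. The commutative cipher is an assumption, since the slides only say "commutative encryption": Pohlig-Hellman exponentiation x^K mod p with a constructed demo modulus.

```python
# Added example (not the slides' code): commutative encryption by Net1 and
# Net2. Assumed cipher: Pohlig-Hellman exponentiation E_K(x) = x^K mod p,
# which commutes because (x^K1)^K2 = (x^K2)^K1 (mod p).
import math
import secrets

P = (1 << 61) - 1  # the Mersenne prime 2^61 - 1 (demo modulus, not from the slides)

def keygen() -> int:
    """Random key coprime with p-1, so that x -> x^K mod p is a bijection on Z_p*."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

def enc(key: int, x: int) -> int:
    """Numericalized prefixes always contain a 1 bit, so x is never 0 mod p."""
    return pow(x, key, P)

def commutes(k1: int, k2: int, x: int) -> bool:
    return enc(k2, enc(k1, x)) == enc(k1, enc(k2, x))

# Net1's numericalized F1 prefixes (1***, 011*, 0101, 0100, 00**), already permuted
NET1_F1 = [0b11000, 0b01110, 0b01011, 0b01001, 0b00100]
# Net2's numericalized prefix family of the F1 end point 5 = 0101:
# 0101, 010*, 01**, 0***, ****
NET2_F1_OF_5 = [0b01011, 0b01010, 0b01100, 0b01000, 0b10000]

def private_matches(net1_vals, net2_vals, k1, k2):
    """Net1's values whose double encryption also appears among Net2's.

    Each party only ever sees the other's values under a key it does not hold;
    Net2 returns Net1's list in the order received, so Net1 can map results back.
    """
    from_net1 = [enc(k1, v) for v in net1_vals]      # Net1 -> Net2
    from_net2 = [enc(k2, v) for v in net2_vals]      # Net2 -> Net1
    double_net1 = [enc(k2, c) for c in from_net1]    # Net2 -> Net1, order kept
    double_net2 = {enc(k1, c) for c in from_net2}    # computed locally by Net1
    return {v for v, c in zip(net1_vals, double_net1) if c in double_net2}
```

Only 0101 (numericalized 01011) matches, which is the prefix of nr2' that places 5 in its F1 range [5, 7].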
Processing FW2
FW2 over the same two fields:
r1: F1 in [0, 2], F2 in [7, 15]: accept
r2: F1 in [0, 5], F2 in [7, 15]: discard
r3: F1 in [6, 15], F2 in [0, 5]: accept
r4: F1 in [0, 15], F2 in [0, 15]: discard
Construct the all-match FDD, where each path is labelled with every FW2 rule that matches it, first rule first:
F1 in [0, 2]: F2 in [0, 6]: {4}, discard; F2 in [7, 15]: {1, 2, 4}, accept
F1 in [3, 5]: F2 in [0, 6]: {4}, discard; F2 in [7, 15]: {2, 4}, discard
F1 in [6, 15]: F2 in [0, 5]: {3, 4}, accept; F2 in [6, 15]: {4}, discard
Extract the non-overlapping rules:
nr1: F1 in [0, 2], F2 in [0, 6]: discard
nr2: F1 in [0, 2], F2 in [7, 15]: accept
nr3: F1 in [3, 5], F2 in [0, 6]: discard
nr4: F1 in [3, 5], F2 in [7, 15]: discard
nr5: F1 in [6, 15], F2 in [0, 5]: accept
nr6: F1 in [6, 15], F2 in [6, 15]: discard
Convert the values at the end points of each range to prefix families, e.g. nr1 becomes F1 {F(0), F(2)}, F2 {F(0), F(6)} with F(6) = {0110, 011*, 01**, 0***, ****}
Extract and permute the prefixes for each field
Numericalize and encrypt by Net2 with key K2, then encrypt by Net1 with key K1, giving E_K1(E_K2(.)) for every prefix
Comparing FW1 and FW2
Compare the two reconstructed firewalls by Net1: for every end point of every non-overlapping rule of FW2, Net1 records the labels (27, 13, 45) of the FW1 rules whose doubly encrypted prefix set contains a member of that end point's doubly encrypted prefix family.
nr1: F1 {0: 27; 2: 27}, F2 {0: 27, 45; 6: 13, 27, 45}
nr2: F1 {0: 27; 2: 27}, F2 {7: 13, 27, 45; 15: 13, 27, 45}
nr3: F1 {3: 27; 5: 13}, F2 {0: 27, 45; 6: 13, 27, 45}
nr4: F1 {3: 27; 5: 13}, F2 {7: 13, 27, 45; 15: 13, 27, 45}
nr5: F1 {6: 13; 15: 45}, F2 {0: 27, 45; 5: 13, 27, 45}
nr6: F1 {6: 13; 15: 45}, F2 {6: 13, 27, 45; 15: 13, 27, 45}
Find the corresponding prefix families in FW2 by Net2: Net2 maps the labelled encrypted prefixes back to its own end points. For F2: E(1***): 13; E(****): 27, 45; E(011*): 13; E(0101): 13. For F1: E(1***): 45; E(00**): 27; E(0101): 13.
A non-overlapping rule of FW2 is covered by an FW1 discard rule when the same label appears at all of its end points: here only nr1 and nr2, both covered by rule 27.
Remove redundant rules
Identify redundant rules: the candidate redundant rule set is {1, 2, 4}, the rules on the two paths of the all-match FDD that FW1 already discards.
However, because
(1) 4 is the first rule in the third and last paths, and
(2) 2 is the first rule in the fourth path,
the only redundant rule in FW2 is r1.
(The all-match FDD of FW2 from the Processing FW2 slide is shown again, with its six paths labelled {4}, {1, 2, 4}, {4}, {2, 4}, {3, 4}, {4}.)
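The coverage test and the candidate filtering of the last two slides as an added example (not the authors' code); the per-end-point labels are computed from plaintext ranges here, where the protocol obtains them by matching encrypted prefixes:

```python
# Added example (not the slides' code): decision step of the comparison.
# 27, 13, 45 are the labels the slides give to nr1', nr2', nr3' of FW1.

# Net1's non-overlapping discard rules: label -> (F1 range, F2 range)
FW1_DISCARD = {
    27: ((0, 4), (0, 15)),
    13: ((5, 7), (5, 15)),
    45: ((8, 15), (0, 15)),
}

# FW2's all-match FDD paths: (F1 range, F2 range, matching FW2 rules in
# priority order); the first listed rule decides the path.
FW2_PATHS = [
    ((0, 2), (0, 6), [4]),
    ((0, 2), (7, 15), [1, 2, 4]),
    ((3, 5), (0, 6), [4]),
    ((3, 5), (7, 15), [2, 4]),
    ((6, 15), (0, 5), [3, 4]),
    ((6, 15), (6, 15), [4]),
]

def labels(field: int, value: int) -> set:
    """FW1 rule labels whose range on `field` (0 = F1, 1 = F2) contains `value`."""
    return {lab for lab, rng in FW1_DISCARD.items()
            if rng[field][0] <= value <= rng[field][1]}

def covering_rules(path) -> set:
    """FW1 rules that discard the whole path: one label must cover all four end points.

    A rule is a box, so containing both end points in each field contains the box.
    """
    (f1lo, f1hi), (f2lo, f2hi), _ = path
    return labels(0, f1lo) & labels(0, f1hi) & labels(1, f2lo) & labels(1, f2hi)

def redundant_rules(paths) -> set:
    """Candidates are the rules on paths FW1 discards; a candidate survives only
    if it is never the first match on a path FW1 lets through."""
    candidates, needed = set(), set()
    for path in paths:
        if covering_rules(path):
            candidates |= set(path[2])
        else:
            needed.add(path[2][0])
    return candidates - needed
```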
What if Net1 misbehaves?
Net1 changes its FW1 without notifying Net2, so a rule removed from FW2 as redundant may no longer be covered.
(Figure: FW2 holding r2, r3 and r4 after r1 was removed, next to the non-overlapping rules nr1 and nr2 of FW1.)
Countermeasure: periodically check.
Experimental Results (1/4)
We conducted experiments on both real and synthetic firewalls.
For real firewalls, our approach achieves significant compression on four real firewall groups.
(Figure: redundancy ratios for 5 real firewall groups.)
Experimental Results (2/4)
For real firewalls, our approach is efficient for the conversion and comparison of two real ACLs.
(Figure: processing FW1 on real firewalls.)
Experimental Results (3/4)
For synthetic firewalls with the number of rules from 200 to 2000, for the conversion of FW1:
• The processing time of Net1 is less than 400 seconds and the processing time of Net2 is less than 5 seconds
• The communication cost is less than 450 KB
(Figure: processing FW1 on synthetic firewalls.)
Experimental Results (4/4)
For synthetic firewalls with the number of rules from 200 to 2000, for the conversion of FW2:
• The processing time of Net2 is also less than 400 seconds and the processing time of Net1 is less than 20 seconds
• The communication cost is less than 1600 KB
(Figure: processing FW2 on synthetic firewalls.)
Experimental Results
For synthetic firewalls with the number of rules from 200 to 2000, the comparison time of the two synthetic firewalls is less than 4 seconds.
(Figure: comparing two synthetic firewalls.)
Questions?
Thank you!